“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked

Ars tests how easy it is to spoof big broadband providers to grab data.

Welcome to a way for hackers to fool you into connecting to malicious networks and give up your personal data: a spoofed Xfinity login page.

Xfinity

If you've traveled and tried to get on the Internet, you've probably seen some pretty suspicious looking Wi-Fi networks with names like "Free Wi-Fi" and "Totally Free Internet." Those are likely access points you'd best avoid. But there's a much bigger threat to your security than somebody randomly fishing for you to connect to them—the networks you've already connected to and trusted, like AT&T and Xfinity.

Enlarge/ The default settings for the AT&T Wi-Fi network on my iPhone, before I got paranoid.

Mobile broadband providers are eager to get you to connect to their Wi-Fi-based networks while you’re away from home. AT&T has built a network of free hotspots for customers at thousands of places—including train stations, as well as Starbucks and McDonald's locations across the country. Comcast has spread its Xfinity wireless network far and wide as well, turning customers’ cable modems into public Wi-Fi hotspots accessible with an Xfinity account login.

These free Wi-Fi connections are popular, for good reason—they help reduce the amount of broadband cellular data you consume, and they often provide better network speeds than what you can manage over a 4G connection. But they also offer a really easy way for someone to surreptitiously tap into your Internet traffic and capture your account information for less-than-friendly purposes. Millions of AT&T and Xfinity customers could be leaving themselves exposed to surreptitious hacking of their Internet traffic, exposing their personal data as a result.

As we reported in our joint experiment with NPR, AT&T sets smartphones to recognize and connect to “attwifi” hotspots automatically. This can be switched off in iPhones by setting the phone to ask the user before connecting to networks when Wi-Fi is turned on but not associated with a hotspot. But that isn’t an option on many Android devices. (Update: as readers point out, the latest AT&T Android settings allow for auto-connect to be disabled.)

To demonstrate this, I set up my laptop as a Wi-Fi hotspot broadcasting the network name (SSID) “attwifi” (after alerting my neighbors, of course). After killing off the settings for my preferred networks on my iPhone, I turned on the Wi-Fi, and it connected to the fake “attwifi” hotspot without prompting.

Enlarge/ The captured traffic from my iPhone as it finds the fake "attwifi" hotspot and starts looking for things.

When I killed the “attwifi” network after a few seconds, my iPhone promptly demonstrated the further risks of auto-connecting—it automatically reconnected with another network in the list of trusted networks on my phone: a hotspot called “xfinitywifi.” I had used an Xfinity hotspot while waiting for an appointment a few days earlier, and suddenly I was logged into a hotspot running on my neighbor’s cable modem.

Enlarge/ When the fake AT&T network went away, a real Xfinity network connected me right away.

Comcast’s Xfinity wireless hotspots present a Web page for login that requests a customer’s account ID and password, and each time you connect to a new hotspot it re-authenticates you. But if you’ve connected once during the day, the hotspot remembers your device and reconnects you without prompting.

That means that if someone were to set up a malicious Wi-Fi access point called “xfinitywifi,” devices that have connected to Xfinity’s network before could automatically connect without alerting the user or asking for the password. Alternatively, using a “honeypot” tool such as PwnStar, an attacker could spoof both the “xfinitywifi” SSID and the Xfinity login page—stealing their Xfinity credentials in the process.

PwnStar includes the ability to redirect devices connecting to a Web page on the attacking system, record credentials, and then pass the victim on to Internet access as if nothing had happened—meanwhile launching man-in-the-middle attacks against the client (as I demonstrated for myself using an SSID called “notxfinity” to deter any of my neighbors from trying to connect to it).

By the way, those Xfinity Wi-Fi login credentials? They’re the same set of credentials used to gain access to Comcast customers’ account billing information, webmail, and other services.

This is not to say that AT&T’s and Xfinity’s networks are insecure in themselves. They are just common enough to give someone with evil in mind a way to cast a wide net for potential victims over Wi-Fi. The same tools I used to spoof Xfinity could be set to automatically respond to a victim’s phone as any Wi-Fi access point they’ve trusted. That’s because of the probe requests generated by smartphones and Wi-Fi—when you turn on your phone’s Wi-Fi adapter, it will seek out any network you’ve ever connected to that it was not told to forget. When I set my attack access point (the laptop) to not connect devices but to respond to all probe requests, my iPhone attempted in turn to connect to every Wi-Fi network I’ve connected to this year. That in itself can be a privacy concern, since the SSIDs and other data associated with those probe requests can be used to essentially map out my movements.

This sort of attack can be played out anywhere you’d normally connect to a public Wi-Fi network. Tools like the ones I’ve tested can be set up to actively go after a user of a public network, force them to disconnect from their existing Wi-Fi network, and then pick up that connection themselves. All of this can be done with something as small as an Android phone as well, using a broadband cellular connection to provide victims with uninterrupted Internet access, as we saw with the PwnPhone.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.